Page 1 of 3 123 LastLast
Results 1 to 15 of 33

Thread: Series 3 PROM Hack

  1. #1
    Join Date
    Jan 2005
    Location
    Narnia
    Posts
    1,263

    Series 3 PROM Hack

    Important Note: This method requires removing the SST37 PROM chip from the Series-3 motherboard, which is difficult and may end up rendering your (expensive) Tivo useless!

    Inferring some info from the DT PROM hack thread, I managed to get some work done on the Series 3 TCD648 PROM v3.16. Like the SD Dual-Tuner model, the S3 has a compressed image as part of the bootup code. As mrpenguin describes in the other thread, First there is a check code you need to disable. For v3.16 PROM this should be at 0x6D4C.

    Then you need to locate the gzip signature 1F 8B 08 (the 08 indicates max compression) within the binary PROM code which marks the compressed portion and save it out seperately from the rest of the PROM code for further editing. I did this by using the editor to delete everything before the gzip portion begins, and save as a new binary file. For v3.16 PROM this compressed portion should begin at 0xB5C8.

    Then you must unpack this compressed portion, edit the hex, and recompress with gzip -9n. Be wary of compressor tools which want to add flags and comments to your re-compressed image since the original PROM has none of that. I don't know how well the S3 would handle extra cruft. I ended up using plain gzip within cygwin.

    Use the editor to glue your newly compressed image back into the original PROM code at the same place the old image was. Save it and burn to a new chip.

    Code:
    First edit (hex):
    Address  Orig_Value   Change_Value
    0x6D4C	 04 40 00 12  00 00 00 00
    Code:
    Edit within gzip compressed portion:
    Addr   Orig_Value   Change_Value
    0x31B8 10 43 00 0A  10 00 00 0A
    (Note that address 0x31B8 is from the beginning of the smaller binary file after you've chopped this piece of PROM clean away from the rest and uncompressed it. Be sure to re-compress with gzip -9n when you're finished here)

    Added confusion since the target code 10 43 00 0A is found twice within the internal compressed image -- Once at 0x31B8 (which I edited) and another at 0x8BBC (which I left alone). Discussion on how important this might be can follow.

    Once you've verified your S3 Tivo still boots, you can pull the drive and use mrblack's venerable replace_initrd on the hard drive's boot kernel.

  2. #2
    Join Date
    Jan 2005
    Location
    Narnia
    Posts
    1,263
    So what actually works on a "hacked" S3? It's late and I haven't spent much more than a few minutes verifying telnet. I've only loaded AlphaWolf's All-in-One utilities (busybox and other useful stuff) and tried ls and vi. The busybox version of vi is of course still broken, but works well enough to edit files on the Tivo.

    I'm guessing that a number of S2 MIPS programs will run.

    EDIT: A couple more things found which work. TivoWebPlus 2.0 and caller-ID via TivoNCID. Also MFS_FTP runs with the same series-2 tweaks, although it seems to be of very limited usefulness right now.
    Last edited by Narf54321; 02-13-2007 at 12:33 PM. Reason: Added clicky-link goodness, found more stuff which works

  3. #3
    Join Date
    Dec 2003
    Posts
    267
    Awesome work! Now I may have to seriously think about upgrading to an S3... Time to research exactly what this box can and can't do.

    P.S. Any chance of someone burning new PROMs for those of us that don't have the equipment to do so? For a small fee, of course...

  4. #4
    Join Date
    Nov 2004
    Posts
    221
    Great job! I bet you are psyched! you should be!

    Congrats!

  5. #5
    Join Date
    May 2003
    Posts
    63
    Great work!

    I am curious -- is this prom socketed? I am ordering my S3 this week and look forward to trying this out.

    Thanks,
    DD
    Even I donated because this place has saved me more time and money than I could even count...

  6. #6
    Join Date
    Jan 2004
    Location
    Noo Hampsha
    Posts
    767
    It is not socketed unless you socket it.
    Steve

  7. #7
    Join Date
    Jan 2005
    Location
    Narnia
    Posts
    1,263
    Removing (i.e. desoldering) the S3 PROM and installing a socket should be performed very carefully. There are little surface-mount components which are much closer to this chip on the S3 than on the previous model 2.5 "nightlight" and R10 motherboards.

  8. #8
    Join Date
    Dec 2005
    Posts
    31
    No way to reprogram the chip in place I guess??

  9. #9
    Join Date
    Jan 2005
    Location
    Narnia
    Posts
    1,263
    Tivo uses an SST37VF010 model PROM chip, which requires 12 volts on the A9 pin to erase for reprogramming. I don't know if Tivo supplies the required equipment to erase "in-line" at the higher voltage. And you run into the catch-22 issue of how to issue an 'erase' command if you haven't already exploited the box. And the fact that although there appears to be an official Tivo linux tool which can read from the PROM, Tivo doesn't seem to have included anything to write an image onto the PROM.

    Seems to me rigging a wiring harness or something to reprogram the PROM on the motherboard is more difficult and potentially more dangerous to the board than simply socketing.

    I've done a few sockets in my time, and I've always replaced the original chips with the SST39's which are erased and reprogrammed at ~3.3volts. Once socketed, you can boot into the fixed machine and theoretically use something like homieflash to do PROM updates.
    Last edited by Narf54321; 01-22-2007 at 02:20 AM.

  10. #10
    Join Date
    Dec 2005
    Posts
    31
    I've been doing some research on the S3 board and chip. The chip is a 32pin PLCC form factor. A bit easier to work with than a (SMT) surface mount chip in the S2 series.

    I've inquired among several commercial component level repair shops and the going rate to remove the S3 chip and replace it with a socket has so far been about $70-80 (provided I supply the socket). The prices quoted all seem to be the going minimum rate for an hour's work.

    If someone is able to hack the code succesfully, I'll agressively pursue a shop to get the price down to something more reasonable. I would think something in the $40-50 range would be more palatible.

    If you're brave enough to do it on your own, a company called Chipquik makes a kit for desoldering SMD chips. http://www.chipquik.com/newsletters/..._june_2004.htm I've written them to ask if their product will work equally as well on PLCC chips. PLCC chips are soldered through holes in the board. Surface mount chips sit on pads atop the board.

  11. #11
    Join Date
    Aug 2004
    Posts
    4,075
    Quote Originally Posted by avpman View Post
    I've been doing some research on the S3 board and chip. The chip is a 32pin PLCC form factor. A bit easier to work with than a (SMT) surface mount chip in the S2 series.
    It's the same chip and form factor as the Series2. They are both surface mount PLCC-32. Here are some sources for parts.

    ...
    If someone is able to hack the code succesfully,
    ...
    Narf already did that.

    ...
    PLCC chips are soldered through holes in the board. Surface mount chips sit on pads atop the board.
    I think you are confused. Have you examined a Series3 motherboard?
    Last edited by Jamie; 01-24-2007 at 01:06 PM.

  12. #12
    Join Date
    Dec 2005
    Posts
    31
    Quote Originally Posted by Jamie View Post
    It's the same chip and form factor as the Series2. They are both surface mount PLCC-32. Here are some sources for parts.


    Narf already did that.

    I think you are confused. Have you examined a Series3 motherboard?
    1) Do we have independent confirmation that Narf's hack has worked?

    2) Can we get a way to get the code or someone willing to burn a PROM for further testing?

    3) I'm willing to help in any way I can. I'll get the blank chips, sockets and a burner if someone can give me instructions on what to do. (I follow instructions well. And I'm fairly bright).

    4) I opened my S3. I am looking at the chip in position U6 on the board. The sticker on the chip says "CBOM-0013-00 V3.16 rel". Underneath the sticker the chip is identified as an SST "37VF010-70-3C-NH". Curiously, there is an outine on the board for a socket. Am I looking at the right chip? If I'm not looking at the right chip, then disregard my self-assesment in comment #3 above

  13. #13
    Join Date
    Jan 2005
    Location
    Narnia
    Posts
    1,263
    Quote Originally Posted by avpman View Post
    1) Do we have independent confirmation that Narf's hack has worked?
    Ah, a scientist ... I see.
    You don't necessarily have to take my word for it, but yes the PROM hack works (else I wouldn't have posted). I'm a bit hesitant to post actual binaries at this time, but there's nothing wrong with instructions for other owners.

    Quote Originally Posted by avpman View Post
    2) Can we get a way to get the code or someone willing to burn a PROM for further testing?
    You get the code off the original SST37 prom. And monkey it with a hex editor -- I used XVI32 myself.

    As far as 'testing', the S3 behaves much like a MIPS S2 machine, there's just more RAM available. It seems to be pretty much the same Linux setup. TivoWebPlus 2.0 runs, but most of the modules don't work right.

    Quote Originally Posted by avpman View Post
    3) I'm willing to help in any way I can. I'll get the blank chips, sockets and a burner if someone can give me instructions on what to do. (I follow instructions well. And I'm fairly bright).
    I got one of those knockoff Willem programmers off eBay. It works well enough, just be sure you get one with the PLCC32 socket. Jamie even mentioned in another thread that there are cheap IDE controllers (SI I think) with programmable PLCC32 sockets.

    Or an old S2 DirecTivo laying around already socketed, and use ADH's homieflash.

    Personally, I recommend using the SST39's as replacement chips. The 37's require 12volts to reprogram and I've had trouble setting that up with my programmer. The 39's can be erased and reprogrammed easily at 3.3volts, and once installed should be able to be homieflashed in the future if needed.

    A side note on sockets: Do NOT get the sockets with posts on the bottom. There are no holes on the Tivo board to fit them.

    Quote Originally Posted by avpman View Post
    4) I opened my S3. I am looking at the chip in position U6 on the board. The sticker on the chip says "CBOM-0013-00 V3.16 rel". Underneath the sticker the chip is identified as an SST "37VF010-70-3C-NH". Curiously, there is an outine on the board for a socket. Am I looking at the right chip? If I'm not looking at the right chip, then disregard my self-assesment in comment #3 above
    Yeah, its nice they masked off the socket area already for us, isn't it. It's the same SST chip they've used in the S2, and the S1 before that.

    According to the sticker, you've got the v3.16 release, which is good. My instructions (see first post) rely on the 3.16 PROM code, so if Tivo ships out a newer code version the exact hex locations will likely be different.

  14. #14
    Join Date
    Dec 2005
    Posts
    31
    Check your PM - Thanks

  15. #15
    Join Date
    Nov 2004
    Posts
    6
    They probably used sockets for the prototypes so they could swap ROMs quickly for debug.
    Hmm... I've got a really early S3, I wonder if it has a socket... Even basic web control of it would be nice... being able to take a few shows with me on the road would be really nice.
    Just 35 weeks until my warranty expires.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •